Spyware, viruses, & security forum: NEWS - February 01, 2013

New York Times Accuses Chinese Military of Hacking Computer Systems [REPORT]

January 31, 2013

As one of the biggest and most brazen journalism companies in the world, The New York Times is always under a watchful eye. What makes it even more difficult for the paper to do business is the fact that it is constantly being bombarded by hackers and other outlets looking to corrupt the news.

The New York Times has published a surprising report suggesting that the government of China is responsible for a multi-month digital attack against the computer systems at the paper. The newspaper company suggests that the attacks were politically motivated, and they could be an operation of the Chinese military.

"Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times's network," reports the New York Times. "They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen's relatives, and Jim Yardley, The Times's South Asia bureau chief in India, who previously worked as bureau chief in Beijing."

Apple has worked to distance itself from Java in recent years. The company deprecated its own version of the Java virtual machine for OS X, instead deferring development to Oracle itself. The browser plugin in particular has become a common vector for malware attacks, and Apple removed the Java Web plugin from recent versions of OS X last year. Those needing the plugin must install it separately.

Apple has also added additional security controls to OS X, including a mechanism that forces its Safari browser to use a minimum specified version of various plugins, such as Flash or Java. When security vulnerabilities are discovered in various plugins, Apple can update its Xprotect list to specify which version is acceptable. Earlier versions of plugins are then blocked from running within Safari.

Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims' accounts. Bitdefender Labs discovered the ongoing campaign today and are once again warning users about the dangers of clicking spammy links.

The account hijacking begins with a spam message with a short link to an apparently harmless session of the reliable news channel MSNBC (hxxp://www.msnbc.msn.com-im9.net[removed]).

A closer look at the real link reveals that the true domain is not part of MSNBC, but a crafty domain composed of subdomains at hxxp://com-im9.net.

The domain was registered in Ukraine on Jan 27 and is hosted in a data center in Nicosia, Cyprus. This page contains a piece of malicious JavaScript, disguised as the popular Lightbox library that will perform the attack in stage 2. [Screenshot]
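The subdomain trick described above, as an added check (not from the original post or from Bitdefender): extract the registrable domain from a URL and flag hosts where a brand's domain shows up only in the subdomain labels. The small public-suffix table, the sample paths and the legitimate MSNBC URL are assumptions.

```python
from urllib.parse import urlsplit

# Constructed samples: the lure host from the news item (defanged, path is a
# placeholder) and an illustrative legitimate MSNBC URL.
LURE_URL = "hxxp://www.msnbc.msn.com-im9.net/story"
REAL_URL = "http://www.msnbc.msn.com/id/12345/"

# Assumption: a tiny table of two-label public suffixes; production code
# should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url):
    """Return the lowercase host of a URL, accepting defanged hxxp:// links."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return urlsplit(url).hostname


def registrable_domain(host):
    """Return the registered part of a hostname, e.g. 'com-im9.net' for
    'www.msnbc.msn.com-im9.net'; every label to its left is chosen freely
    by whoever owns that domain."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def spoof_verdict(url, brand_domain):
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated' relative to
    the brand domain it appears to point at."""
    host = hostname_of(url)
    if not host:
        return "unrelated"
    brand = brand_domain.lower()
    if registrable_domain(host) == brand:
        return "legitimate"
    # The brand name appears in the subdomain labels, but the registered
    # domain belongs to someone else: the trick used in the Yahoo campaign.
    if brand in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for url in (LURE_URL, REAL_URL):
        print(url, "->", registrable_domain(hostname_of(url)), spoof_verdict(url, "msn.com"))
```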

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors. [Screenshot]

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails was identical. The attackers used a report published in 2012 on the outlook for the aerospace and defense industries as the lure. The intention was to make it seem as though the email originally came from the company that authored the report. The emails were also crafted to look as though they were being forwarded by internal employees or by individuals from within the targeted industries.

Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the days beforehand. Attacks were restricted to systems running Java browser add-ons.

But Oracle's response appears to have caused some collateral damage.

JNBridge, which provides Java and .NET interoperability tools, reports that customers of software providers who use its technology came a cropper in cases where users had applied the latest Java update (Java 7u11). The software developer blogged about the issue here.

Oracle has decided that, in order to fix widely reported security problems, it will not only update Java 7 (its latest version of Java) but will also completely remove a separate product.

Worse, it appears that they are taking it upon themselves to replace installations of Java 6 with Java 7 even if the users have only Java 6 on their machines.

We followed up with Wayne Citrin, chief technology officer at JNBridge, who shed some light on the practical issues created by Oracle's recent Java update. "We provide a Java/.NET bridge, and one of the interoperability mechanisms allows the .NET and Java to run in the same process," Citrin explained. "To do this, the user needs to supply the absolute path to the jvm.dll file belonging to the JRE that they plan to use.

Yesterday as I was testing Facebook's Graph Search, which is in Beta, I searched for the following: women who live in Helsinki, Finland and who like sushi. (I wanted something that would get lots of results. It did.)

Then today, a sponsored story for a Helsinki-based sushi restaurant appeared in my News Feed. [Screenshot]

Perhaps it's just a coincidence...

In any case, today, continuing my testing, I searched for people with my name who live in Finland. (The result: me and another guy.) Graph Search will definitely make it easier for your Facebook profile to be found by others.

Here are a couple of things to check, just to make sure you don't have anything exposed.

Google Chrome users are being targeted these days by a wave of attacks that uses malicious extensions hosted in the official Chrome Web Store. The attack appears to be of Turkish origin and is using Facebook to spread. We saw users of different nationalities infected with the malicious extensions, which the cybercriminals are sending to the official store regularly, in a cat-and-mouse game.

As we already reported in March 2012, Brazilian cybercriminals were at that time able to host a malicious extension in the Chrome Web Store. Since then, in June 2012, Google changed the way users can add third-party browser extensions, disallowing the installation of extensions that are not hosted on the official Web Store. More recently Google removed the possibility of silent installations, which had been widely abused by third parties.

Perhaps for these reasons the bad guys started concentrating their efforts on uploading malicious extensions to the official store. Now it's the turn of Turkish cybercriminals; they were able to host several extensions there in the last few days.

"Black Hat Europe researcher builds prototype device that could be used to steal corporate data, listen in on voice calls, videoconferences"

You know that docking station you snap your laptop into at the office? It can be hacked, too.

A British researcher next month at Black Hat Europe will show just how valuable those seemingly benign devices can be to a determined attacker targeting an organization or group of users. Andy Davis, research director for UK-based NCC Group, built a prototype hardware device that can easily be placed inside a laptop docking station to sniff traffic and ultimately, steal sensitive corporate communications information from the laptop.

"You see docking stations all over the place in organizations because people are using hot-desking type environments, so different laptops can be attached to them [the docks] each day," Davis says. "And they are considered a trusted part of the infrastructure: nobody thinks someone might tamper with one or swap one for another. Admins are more concerned with protecting your laptop: that's where the money is and the information."

One day after The New York Times reported that Chinese hackers had infiltrated its computers and stolen passwords for its employees, The Wall Street Journal announced that it too had been hacked.

On Thursday, The Journal reported that it had been attacked by Chinese hackers who were trying to monitor the company's coverage of China. It said hackers had broken into its network through computers in its Beijing bureau.

In a written statement, the business newspaper owned by News Corporation described the attack as an "ongoing issue" and said it was working closely with authorities and security specialists to clean up its systems. It said that it completed a "network overhaul" on Thursday in an effort to rid its systems of hackers.

China's Ministry of National Defense has denied any involvement in the cyberattack at The Times or any other American corporations.

While Android malware continues to grow faster than other malware types, it still accounts for only a minute fraction of all malware on the Web, according to Cisco's annual security report released this week.

"These types of attacks often represent malicious code on 'trusted' webpages that users may visit every day, meaning an attacker is able to compromise users without even raising their suspicion," the report added.

"Web malware encounters occur everywhere people visit on the Internet—including the most legitimate of websites that they visit frequently, even for business purposes," said Mary Landesman, senior security researcher with Cisco. "Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isn't the result of business sites that are designed to be malicious."

Carol, I see a lot of posts recommending Firefox and Chrome over IE here and in other places, and never see ones recommending IE. I remember Bob Proffitt saying he gave up on IE several years ago. So I'm wondering what the market shares are for these 3 browsers, would you happen to know the answer or where that info might be posted? TIA

I still use IE in a pinch when some site/app/thing doesn't work. For example I ran into some router that would not setup in FireFox or Chrome. It did in IE. I don't mind IE at all. But it's a target and after a decade it seems like they would have it nailed by now.

I think I know why it's taken this long. The goals at this company are not what they seem, unless you know what they are. It's not "security first" but something else. Bob

Thanks, Bob. That's a real surprise to me, I'd have guessed somewhere in the 50% range. And Chrome is ahead of Firefox 47% to 31%. That's another surprise to me, although I normally use Chrome to keep 9 CNET forums open. We still have to use IE for Windows updates, and I use it for the MS forums, but I've just run into too many IE bugs for much of anything else. I thought I was in the minority, but here I find it's not just us geeks who've switched. MS will hype IE10, but in my limited use of it in my Windows 8 test computer, I don't see anything significant to me. And as of today, you will pay $199 for the Windows 8 Pro upgrade we paid $40 for yesterday ($119 for the basic version).

Carol, your link says IE has a 55% market share, Bob's says 14.7%. One of these has to be wrong! Yours does include earlier versions, so maybe Bob's just looked at IE9, but there's still a discrepancy.

I don't know how Bob does it, he comes up with more answers more times than any 3 other folks I've ever seen. Do you think he ever sleeps? He sure doesn't let the grass grow under his feet. I guess this proves the old saying about how figures don't lie, but liars can figure?

Thanks for the other stats. It's a loaded question as those that have something to gain or lose will measure it differently. For example, MSFT may drop Android and Apple devices since that would really skew the numbers in ways they don't want to see.

Kim Dotcom is so confident in the security system at Mega, the newly launched file storage service, that the New Zealand-based German is offering a bounty of €10,000 (approx. US$13,580) to the first person who breaks it.

Last week, Dotcom said that he would offer up a prize for any enterprising hackers, after the site was criticized for the way that it handles security. A Mega blog post dismissed points raised by Ars Technica and Forbes, explaining that the site will soon be boosted by new measures, including a change password feature and more, to increase the security of accounts and data.

The bounty offer is part of Mega's ongoing focus on improvement while it is in beta — "You find a bug. We fix it," Dotcom said last week, and such financial carrots are dangled by most major tech firms, albeit in a less public fashion. Facebook, Google, Dropbox and countless others provide developers with cash payments and official acknowledgements if they find bugs and issues.

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the small point-of-sale machines were beyond anything he'd encountered in skimmer technology to date.

"The stuff we've been seeing lately is a leap forward in these types of crimes," said Spruill, a former special agent with the U.S. Secret Service. "You hate to say you admire the work, but at some point you say, 'Wow, that's pretty clever.' From a technical and hardware standpoint, this was really well thought-out."

There's currently a number of "Twitter Verified" style accounts posting to Twitter, asking users to "Retweet to become verified", or posting up peculiar minigames along the lines of "The last person to RT this Tweet becomes verified". It's all rather odd, and shows no sign of slowing down. [Screenshot]

At this point, we've seen the following accounts posting similar content:

freeverify seems to be unrelated, with the last Tweet appearing back in August (humorously, it also mentions "we have not been verified as it takes 1 to 3 months to be totally verified". It takes up to 3 months for Twitter to verify itself?)

Along with asking for Retweets, some of the accounts seem to be looking for recently verified individuals, then sending them a Tweet to say "you're verified" shortly afterwards. By doing so, it would appear to anybody looking on that they had indeed just verified somebody.

Banking malware has primarily been just that, an attack tool used against financial institutions to steal money from online bank accounts. But what if cybercrime gangs decided to flip that on its head, and use malware such as the Citadel banking Trojan to steal credentials from not only banks, but government agencies and commercial businesses?

That situation apparently has been in play since late December. McAfee reported this week that it has observed an uptick in attacks, primarily in Europe, where Citadel has been used to attack government offices in Poland, businesses in Denmark and Sweden, as well as government agencies in Japan.
